System and method for detection of malicious data encryption programs
Abstract
A method for detection of malicious encryption programs, the method comprising: intercepting, at a server, a file operation request from a client on a file stored on the server; collecting information about at least the requested file and the requested operation; determining, by a hardware processor of the server, based on the collected information, whether the file operation request came from a known malicious encryption program; when the file operation request came from an unknown program, then calculating, by the hardware processor, entropies of at least a portion of the file before and after the execution of the requested operation on the file; and calculating, by the hardware processor, a difference between the calculated entropies; when the difference is below a threshold, allowing the requested operation on the file; and when the difference is above the threshold, denying the requested operation on the file.
Claims
exact text as granted — not AI-modifiedThe invention claimed is:
1. A method for detection of malicious encryption programs, the method comprising:
intercepting a file operation request from a client device on a file stored on a server;
responsive to intercepting the file operation request, creating and saving a backup copy of the file at the server;
collecting information about at least the client device, the requested file and the file operation request, wherein the collected information includes data buffers with original contents of the file and data that the file operation request is attempting to write in place of the file;
determining based on the collected information, whether a known malicious encryption program has been launched on the client device to attempt an execution of the file operation request on the server;
when the file operation request came from an unknown encryption program, calculating, by a hardware processor, a difference between a first entropy of a header of the file before the execution of the file operation request and a second entropy of a header of the data that the file operation request is attempting to write in place of the file;
when the difference is below a threshold, allowing the file operation request of the unknown encryption program on the file to be performed on the server and deleting the backup copy of the file, otherwise blocking a connection between the client device and the server and restoring the backup copy of the file at the server; and
sending information about the unknown encryption program to a component on the client device, the information comprising a name of a process executing the program, wherein the component is enabled to search and stop the process on the client device initiating the file operation request based on a reception of the information.
2. The method of claim 1 , wherein intercepting a request to access a file stored on the server includes, intercepting the request by a file system driver filter.
3. The method of claim 1 , wherein intercepting a request to access a file stored on the server includes, intercepting a system function call and one or more parameters of the call.
4. The method of claim 1 , wherein collecting information about the requested file and the file operation request further includes, collecting one or more of: type of the file operation request, and an application programming interface (API) function called.
5. The method of claim 1 , wherein, when the file operation request came from a known malicious encryption program, denying the file operation request on the file.
6. The method of claim 1 , wherein calculating entropies of at least a portion of the file includes, calculating entropies of at least portions of file headers before and after the execution of the requested operation on the file.
7. A system for detection of malicious encryption programs, the system comprising:
a server having a hardware processor configured to:
intercept a file operation request from a client device on a file stored on the server;
responsive to intercepting the file operation request, create and save a backup copy of the file at the server;
collect information about at least the client device, the requested file and the file operation request, wherein the collected information includes data buffers with original contents of the file and data that the file operation request is attempting to write in place of the file;
determine based on the collected information, whether a known malicious encryption program has been launched on the client device to attempt an execution of the file operation request on the server;
when the file operation request came from an unknown encryption program, calculate a difference between a first entropy of a header of the file before the execution of the file operation request and a second entropy of a header of the data that the file operation request is attempting to write in place of the file;
when the difference is below a threshold, allow the file operation request of the encryption program on the file to be performed on the server and deleting the backup copy of the file, otherwise: block a connection between the client device and the server and restore the backup copy of the file at the server; and
send information about the unknown encryption program to a component on the client device, the information comprising a name of a process executing the program, wherein the component is enabled to search and stop the process on the client device initiating the file operation request based on a reception of the information.
8. The system of claim 7 , wherein, to intercept the request to access a file stored on the server, the processor is further configured to intercept the request by a file system driver filter.
9. The system of claim 7 , wherein, to intercept the request to access a file stored on the server, the processor is further configured to intercept a system function call and one or more parameters of the call.
10. The system of claim 7 , wherein, to collect the information about the requested file and the file operation request, the processor is further configured to collect one or more of: type of the file operation request, and an application programming interface (API) function called.
11. The system of claim 7 , wherein the processor is further configured to deny the file operation request on the file when the file operation request came from a known malicious encryption program.
12. The system of claim 7 , wherein, to calculate the entropies of at least a portion of the file, the processor is further configured to calculate entropies of at least portions of file headers before and after the execution of the requested operation on the file.
13. A non-transitory computer readable medium storing computer executable instructions for detection of malicious encryption programs, including instructions for:
intercepting a file operation request from a client device on a file stored on a server;
responsive to intercepting the file operation request, creating and saving a backup copy of the file at the server;
collecting information about at least the client device, the requested file and the requested operation, wherein the collected information includes data buffers with original contents of the file and data that the file operation request is attempting to write in place of the file;
determining, based on the collected information, whether a known malicious encryption program has been launched on the client device to attempt an execution of the file requested operation on the server;
when the file operation request came from an unknown encryption program, calculating a difference between a first entropy of a header of the file before the execution of the requested operation and a second entropy of a header of the data that the file operation request is attempting to write in place of the file;
when the difference is below a threshold, allowing the requested operation of the encryption program on the file to be performed on the server and deleting the backup copy of the file, otherwise: blocking a connection between the client device and the server and restoring the backup copy of the file at the server; and
sending information about the unknown encryption program to a component on the client device, the information comprising a name of a process executing the program, and wherein the component is enabled to search and stop the process on the client device initiating the file operation request based on a reception of the information.
14. The non-transitory computer readable medium of claim 13 , wherein intercepting a request to access a file stored on the server includes, intercepting the request by a file system driver filter.
15. The non-transitory computer readable medium of claim 13 , wherein intercepting a request to access a file stored on the server includes, intercepting a system function call and one or more parameters of the call.
16. The non-transitory computer readable medium of claim 13 , wherein collecting information about the requested file and the file operation request includes, collecting one or more of: type of the requested file operation request, and an application programming interface (API) function called.
17. The non-transitory computer readable medium of claim 13 , wherein, when the file operation request came from a known malicious encryption program, denying the file operation request on the file.
18. The non-transitory computer readable medium of claim 13 , wherein calculating entropies of at least a portion of the file includes, calculating entropies of at least portions of file headers before and after the execution of the requested operation on the file.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.